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Control System 

This invention relates to a control system for a load such as a drive mechanism 
and in particular to a so-called "fail off 1 control system in which, when a fault 
is detected, the operation of the load is ceased or switched out. 

Control systems generally include fault detection systems which control 
the operation of the control system when a fault is detected. There are three 
main types of control system with fault detection: "fail on", in which the 
mechanism associated with the control system is maintained in an "on" state if 
a fault is detected (commonly used in situations (e.g. aircraft) in which to turn 
the system off may result in fatal consequences); "fail off 1 in which the 
mechanism associated with the control system is put into an "off state if a fault 
is detected (commonly used in situations (e.g. vehicle drive mechanisms) in 
which to leave the system on may result in fatal consequences); and "do 
nothing", in which the mechanism associated with the control system is 
maintained in its current state if a fault is detected and a log of a fault generated 
for later inspection and solution. 

The invention will now be described, by way of example only, with reference 

to the accompanying drawing, in which: 

Figure 1 is a first embodiment of a drive control system. 

A method and apparatus for controlling a load is described. In the following 
description, for the purposes of explanation, numerous specific details are set 
forth to provide a thorough understanding of the present invention. It will be 
apparent to a person skilled in the art that the present invention may be 
practised without these specific details. In other instance, well-known 
struGtures-and-devices-are-shown-in block diagram-form to avoid unnecessarily 
obscuring the present invention. 
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The needs identified above and other needs and objects that will become 
apparent from the following description are achieved in the present invention 
which comprises, in one aspect, a control system for a load, the system 
comprising a first microprocessor having an output to drive one side of a load 
5 and a second microprocessor having an output to drive the other side of the 
load. The system is arranged so that when either microprocessor detects a fault 
in the control of the load the load is switched off. In other aspects, the 
invention encompasses apparatus for carrying out the foregoing steps. 

10 The control system to be described is part of the electronic system used in a 
vehicle such as a car but the method is applicable to other electronic systems, 
especially those that require fail-off systems. 

Figure 1 shows a first embodiment of a drive control system. A load 10 is 
15 driven by two drivers, a high side driver 12 and a low side driver 14. The 
operation of the driver 12 is controlled by a first microprocessor 16 while 
driver 14 is controlled by a second microprocessor 18. For safety reasons the 
second microprocessor 18 is provided to monitor the operation of the drive 
control system. The drivers 12, 14 may take any suitable form e.g. MOSFET 
20 switches or the like. The drivers 12, 14 may drive the load 10 by various means 
such as a Pulse Width Modulation (PWM) signal or the like. 

Two microprocessors are provided to ensure a fail-safe operation of the drive 
control system. In normal operation, the main microprocessor 16 controls the 
25 high side driver 12 (the low side driver 14 normally being switched on) and 
monitors the operation of the load by monitoring the low side of the load 10 at 
point A. If it detects a fault it can switch off the load via driver 12. 
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Each microprocessor 16, 18 has programmed into it a set of rules by which the 
operation of the load is controlled. The set of rules of the second 
microprocessor 18 may be identical to the set of rules of the first 
microprocessor. Alternatively, the set of rules of the second microprocessor 18 
5 may be coarser than or a subset of the set of rules of the first microprocessor. 

In use, the second microprocessor 18 monitors the operation of the first 
microprocessor 16 and the operation of the load 10 to determine if the system is 
operating according to the set of rules of the second microprocessor. If either 
10 is not operating according to the set of rules of the second microprocessor, the 
microprocessor 18 switches out the load 10 by means of setting the low side 
driver 14 to open. Thus the load no longer has any effect on other systems. 

In a preferred implementation of the invention, the second microprocessor 
15 monitors the outputs of the first microprocessor that controls driver 12 to 
monitor for faults with the main microprocessor 16. For this purpose, a 
connection 1 9 is provided. A resistor Rl is also provided to ensure that a fault 
in microprocessor 18 is unable to turn on driver 12 (ie Rl must be relatively 
high compared with R2 and the output resistance of the driver within 
20 microprocessor 16). 

Each time a microprocessor is powered up, the microprocessor is reset which 
usually ^involves most, if not all, of the pins of the microprocessor being re-set 
as inputs. The programming of the microprocessor then resets the pins to their 
25 required state for proper operation. If the microprocessor incorrectly sets a pin 
to be an input rather than an output (or vice versa) clearly a fault with the 
microprocessor will exist. 
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In the arrangement of Figure 1 resistor R2 operates to ensure that if the output 
pin of the main microprocessor 16 that is connected to the high side driver 12 
switches to become an input pin, then the high side driver 12 is switched to 
open and the effect of the load switched out. Resistor R2 is connected between 
5 the ground rail and the output pin of the main microprocessor that is connected 
to the high side driver 12. R3 is connected between the ground rail and the 
output pin of the monitor microprocessor 18 that is connected to the low side 
driver 14 and ensures that driver 14 is switched off while the driver output pin 
of microprocessor 18 is high impedance. 

10 

The control system also includes a current sensor 20. This in itself may be a 
potential fault source since if it fails then the microprocessors are unable to 
detect this failure. This may be overcome by providing two current sensors in 
series. Alternatively, in a preferred embodiment of the invention, a back-up to 

15 the current sensor is provided by the monitor microprocessor 18 which 
calculates the current from the power supply voltage and the resistance of the 
load 10 by means of the equation I = V/R. This may also be achieved by 
monitoring the voltage at the high side driver 12 and the voltage at the low side 
driver 14, calculating the voltage drop across the load and, knowing the 

20 resistance of the load, calculating the load current. 

The results of the calculation may then be compared with the output of the 
current sensor 20 and if the difference between the two meets predetermined 
criteria (e.g. is less than or equal to a pre-determined threshold), then the 

25 monitor microprocessor 18 detects a fault with the current sensor and either 
switches out the load as a result (for a fail off system) or logs the fault for 
subsequent consideration. In the latter case, the control system would then rely 

on Jhe^current-calculation- to-monitor the current-which may- not-be- desirable,- - - 

depending upon the type of load and/or the field of application of the load. 
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The control system shown is applicable to many areas where the control of a 
drive is required. The invention has particular application to a gear control 
system, for instance as used in a vehicle, but this is not intended to be limiting. 
5 In the field of vehicular gear control systems, the load 10 may be a gear box 
selector, a clutch selector, a valve in a pneumatics. system etc. 

In the foregoing specification, the invention has been described with reference 
to specific embodiments thereof. It will however be evident that various 
10 modifications and changes may be made thereto without departing from the 
broader spirit and scope of the invention. The description and drawings are, 
accordingly, to be regarded in an illustrative rather than a restrictive sense. 
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Claims 

1. A control system for a load, the system comprising a first 
microprocessor having an output to drive one side of a load, a second 
microprocessor having an output to drive the other side of the load, the system 
being arranged so that when either microprocessor detects a fault in the control 
of the load the load is switched off. 

2. A system according to claim 1 wherein both microprocessors monitor 
the current in the load. 

3. A system according to claim 1 or 2 wherein a first resistor of relatively 
high value is connected between a driver output of the first microprocessor and 
an input of the second microprocessor, to allow the second microprocessor to 
monitor if the first microprocessor is attempting to turn on the load. 

4. A system according to claim 3 wherein a second resistor with a value 
less than that of the first resistor, is connected between the output of the first 
microprocessor and a low voltage to ensure a driver controlling the load is off 
whenever the output of the first microprocessor is in a high resistance state. 

5. A system according to any preceding claim wherein at least one of the 
microprocessors is arranged to calculate the current of the load by measuring 
the voltage across it and, when the load current does not meet pre-detennined 
criteria, to switch out the load. 

6. A system according to any preceding claim wherein the control system 
is a vehicular control-system^ - - - — 
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7. A system according to any preceding claim wherein the load is a gear 
box selector, a clutch selector or a valve. 

8. A control method for a load, the method comprising a first 
5 microprocessor having an output to drive one side of a load, a second 

microprocessor having an output to drive the other side of the load, the system 
being arranged so that when either microprocessor detects a fault in the control 
of the load the load is switched off. 

10 9. A method according to claim 8 further comprising both microprocessors 
monitoring the current in the load. 

10. A method according to claim 8 or 9 wherein the second microprocessor 
is arranged to monitor if the first microprocessor is attempting to turn the load 

15 on by means of a first resistor of relatively high value between the driver output 
of the first microprocessor and an input of the second microprocessor. 

11. A method according to claim 10 wherein the first microprocessor is 
monitored by means of a second resistor with a value less than that of the first 

20 resistor, the second resistor being connected between the output of the first 
microprocessor and a low voltage to ensure the driver controlling the load is off 
whenever the output of the first microprocessor is in a high resistance state. 

,12. A method according to any of claims 8 to 1 1 further comprising at least 
25 one of the microprocessors calculating the current of the load by measuring the 
voltage across it and, when the load current does not meet pre-determined 
criteria, switching out the load. 
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13. A method according to any of claims 8 to 12 wherein the control method 
is applied to a vehicular control system. 

14. A method according to any of claims 8 to 13 wherein the load is a gear 
5 box selector, a clutch selector or a valve. 

15. A control system for a load, the system comprising a first 
microprocessor having an output to provide a drive signal to drive the load, a 
second microprocessor to monitor the operation of the first microprocessor and 

10 the operation of the load, the system being arranged so that when the second 
microprocessor detects a fault in the operation of the first microprocessor 
and/or the operation of the load, the second microprocessor is arranged to 
switch out the load or halt the operation of the first microprocessor. 

15 16. A control method for a load, the method comprising driving a load by 
means of a drive signal provided by a first microprocessor, monitoring the 
operation of the first microprocessor and the operation of the load by means of 
a second microprocessor, when the second microprocessor detects a fault in the 
operation of the first microprocessor and/or the operation of the load, the 

20 second microprocessor switches out the load and/or halts the operation of the 
first microprocessor. 
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